WHAT IS CLAIMED IS: 



1. Apparatus for security applications, the apparatus comprising:

an interface coupled to a storage network, the interface being adapted to receive a frame from the storage network;

a classifier coupled to the interface, the classifier being adapted to determine an information type associated with the frame, the type being an initiator, data, or terminator, the classifier being adapted to determine header information associated with the frame; and

a content addressable memory coupled to the classifier.

2. Apparatus of claim 1 wherein the content addressable memory comprises a rule portion and a flow portion, the rule portion being adapted to determine header information and command information from the initiator frame and the flow portion being adapted to provide a flow based upon the header information.

3. Apparatus of claim 1 further comprising:

a central processing unit coupled to the classifier;

an action processor coupled to the central processing unit;

a security action processor (SAP) coupled to the central processing unit, the SAP being adapted to process data block by block; and

an encryption/decryption processor coupled to the security action processor, the encryption/decryption processor being adapted to encrypt/decrypt the data block by block.

4. Apparatus of claim 1 wherein the initiator determines a read or a write process.

5. Apparatus of claim 1 wherein the content addressable memory comprises at least two MBit.

6. Apparatus of claim 1 wherein the interface is adapted to receive the frame through the fiber channel in a SCSI format.

7. Apparatus of claim 1 wherein the frame is associated with a SCSI frame format.

8. Apparatus of claim 1 wherein the classifier is provided on an integrated circuit chip.

9. Apparatus of claim 1 wherein the classifier is adapted to maintain wire speed operation while determining the information type and header information associated with the frame.

10. Apparatus of claim 1 further comprising a flow context random access memory coupled to the classifier, the flow context random access memory being adapted to store a policy based upon a flow, the flow being associated with the header information.

11. Apparatus of claim 1 wherein the classifier is used in determining access controls to target volumes & partitions.

12. Apparatus of claim 1 wherein the classifier is used in allowing access to specific targets only to authenticated hosts and, in some scenarios, applications running on the hosts.

13. Apparatus of claim 1 wherein the apparatus is operable in a NULL port in a storage area network.

14. Apparatus for security applications of storage area networks, the apparatus comprising:

an interface coupled to a storage network, the interface being adapted to receive a frame from the storage network;

a classifier coupled to the interface, the classifier being adapted to determine an information type associated with the frame, the type being an initiator, data, or terminator, the classifier being adapted to determine header information associated with the frame; and

a content addressable memory coupled to the classifier, the content addressable memory comprises a rule portion and a flow portion, the rule portion being adapted to determine header information and command information from the initiator frame and the flow portion being adapted to provide a flow based upon the header information;

a central processing unit coupled to the classifier;

an action processor coupled to the central processing unit;

a security action processor (SAP) coupled to the central processing unit, the SAP being adapted to process data block by block; and

an encryption/decryption processor coupled to the security action processor, the encryption/decryption processor being adapted to encrypt/decrypt the data block by block.

15. Apparatus of claim 14 wherein the initiator determines a read or a write process.

16. Apparatus of claim 14 wherein the content addressable memory comprises at least two MBit.

17. Apparatus of claim 14 wherein the interface is adapted to receive the frame through the fiber channel in a SCSI format.

18. Apparatus of claim 14 wherein the frame is associated with a SCSI frame format.

19. Apparatus of claim 14 wherein the classifier is provided on an integrated circuit chip.

20. Apparatus of claim 14 wherein the classifier is adapted to maintain wire speed operation while determining the information type and header information associated with the frame.

21. Apparatus of claim 14 further comprising a flow context random access memory coupled to the classifier, the flow context random access memory being adapted to store a policy based upon a flow, the flow being associated with the header information.

22. Apparatus of claim 14 wherein the apparatus is not a switch or a router or a virtualization device.

23. Apparatus of claim 22 wherein the apparatus further comprises a switch or a router or a virtualization device.

24. A method for security applications for storage area networks, the method comprising:

receiving one or more frames at a security apparatus from a storage area network device through a fibre channel, the storage area network device being operated by a client device, the client device being coupled to the storage area network device;

determining a frame type of the one or more frames at the security apparatus;

creating a flow process through one or more processors if the frame type is of an initiator frame;

processing one or more subsequent frames associated with the flow process through the one or more processors at wire speed;

whereupon the processing is substantially transparent to a user of the client device.
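
The following Python model is an added illustration of the frame handling recited in claims 1, 2, 10 and 24; it is not code from the patent. The header field names (src, dst, exchange), the policy names, the one-direction flow key and the drop-by-default behaviour for unmatched frames are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    kind: str          # "initiator", "data" or "terminator" (claim 1)
    src: str           # assumed header field: initiating host port
    dst: str           # assumed header field: target port
    exchange: int      # assumed header field: ties frames of one I/O together
    command: str = ""  # "read" or "write"; only on the initiator frame (claim 4)
    volume: int = 0    # target volume; only on the initiator frame (claim 11)

class Apparatus:
    def __init__(self, rules):
        self.rules = dict(rules)  # rule portion: (src, dst, volume, command) -> policy
        self.flows = {}           # flow portion + flow context: header key -> policy

    def process(self, f):
        key = (f.src, f.dst, f.exchange)  # assumption: one direction only
        if f.kind == "initiator":
            policy = self.rules.get((f.src, f.dst, f.volume, f.command))
            if policy is None:        # assumption: no matching rule means deny
                return "drop"
            self.flows[key] = policy  # later frames skip the rule lookup
            return "flow-created"
        policy = self.flows.get(key)
        if policy is None:            # data/terminator outside any admitted flow
            return "drop"
        if f.kind == "terminator":
            del self.flows[key]       # the flow ends with its terminator frame
            return "flow-closed"
        return policy                 # per-flow action applied to each data frame

def run_demo():
    # Constructed rules and frames, for illustration only.
    app = Apparatus({("host-a", "tgt-1", 0, "write"): "encrypt",
                     ("host-a", "tgt-1", 0, "read"): "decrypt"})
    frames = [
        Frame("initiator", "host-a", "tgt-1", 0x10, "write", 0),
        Frame("data", "host-a", "tgt-1", 0x10),
        Frame("terminator", "host-a", "tgt-1", 0x10),
        Frame("data", "host-a", "tgt-1", 0x10),                   # arrives after close
        Frame("initiator", "host-b", "tgt-1", 0x20, "write", 0),  # host with no rule
        Frame("data", "host-b", "tgt-1", 0x20),
    ]
    return [app.process(f) for f in frames]

if __name__ == "__main__":
    print(run_demo())
```

Only the initiator frame consults the rule table; every later frame of the flow is resolved by a single keyed lookup, which is what makes per-frame handling at wire speed plausible in a hardware content addressable memory.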